Help with Multiple AD/LDAP

Ryan Kramer rkramer at gmail.com
Mon Jun 11 17:30:59 CEST 2007


Hello,

I'm working on a new config to allow multiple AD servers to be hit, and am
running into a problem.  Just a quick background: I have one server that has
multiple root-level OUs with users under them.  It may not be the recommended
design, but for our needs it is suitable.  I've set up FreeRADIUS with three
unique ldap entries, all connecting to the same AD server but under
different OUs.

Anyway, in users.conf I've got this:

# Match any user the ldap module reports as a member of the WIFIUSER group,
# send Filter-Id = "WIFIUSER" in the reply, and keep matching later entries.
DEFAULT Ldap-Group == "WIFIUSER"
        Filter-Id = "WIFIUSER",
        Fall-Through = 1


radiusd.conf

authorize {
        ...
        # Three rlm_ldap instances, all pointing at the same AD server
        # but each with a different base DN (OU).
        LDAP1
        LDAP2
        LDAP3
}


which will return group=WIFIUSER in the Access-Accept if the user is in the
WIFIUSER AD group.  The problem is it only works if the user exists in the
last LDAP entry that is listed.  It will still return an Access-Accept, but
no group, if they aren't in the last OU.  (In the example above, a user in
the LDAP1 OU would not get the WIFIUSER group in the Access-Accept, even though they
are in it.  Moving LDAP1 to the bottom would make it work.)

Any suggestions?

Ryan Kramer
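A per-instance group check for the setup described above, as an added example that is not from the original post. It assumes the three instance names LDAP1, LDAP2 and LDAP3 and the group name WIFIUSER from the post, and it assumes that the rlm_ldap in use (1.1.x/2.x) registers an `<instance>-Ldap-Group` check attribute for every instance with an explicit name in addition to the shared `Ldap-Group` attribute, which is bound only to whichever instance was instantiated last. That last-instance binding matches the symptom described, so the example names the instance in each check instead of relying on `Ldap-Group`.

```conf
# users file (added example, not the original poster's configuration).
# Check the group through each rlm_ldap instance explicitly.  "<instance>-Ldap-Group"
# is the per-instance check attribute rlm_ldap creates for a named instance
# (assumption: verify against the rlm_ldap documentation of your version); the
# plain "Ldap-Group" attribute only compares through the last instance loaded.
DEFAULT LDAP1-Ldap-Group == "WIFIUSER"
        Filter-Id = "WIFIUSER",
        Fall-Through = 1

DEFAULT LDAP2-Ldap-Group == "WIFIUSER"
        Filter-Id = "WIFIUSER",
        Fall-Through = 1

DEFAULT LDAP3-Ldap-Group == "WIFIUSER"
        Filter-Id = "WIFIUSER",
        Fall-Through = 1

# radiusd.conf, authorize section (added example).  The ldap instances run
# first so that the group compare can reuse the user DN they already looked
# up; "files" then evaluates the entries above.
authorize {
        preprocess
        LDAP1
        LDAP2
        LDAP3
        files
}
```

Run `radiusd -X` while authenticating a user from the LDAP1 OU and confirm that the group compare is logged by LDAP1 rather than by the last instance. Each instance searches for the group from its own `basedn`, so the WIFIUSER group object must be visible below each of the three base DNs for the corresponding check to succeed; a user found in an OU but not in the group still gets an Access-Accept without a Filter-Id, exactly as in the original setup.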